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REMARKS 

Claims 1-22 are currently pending in the application. By this amendment, claims 
6, 9, 11, 15, 19, and 21 are amended for the Examiner's consideration. The above 
amendments do not add new matter to the application and are fully supported by the 
specification. For example, support for the amendments is provided at pages 5, 7, 10, 
and 1 1 of the specification. Reconsideration of the rejected claims in view of the above 
amendments and the following remarks is respectfully requested. 

35 U.S.C. §101 Rejection 

Claims 9-21 were rejected under 35 U.S.C. §101 as being directed to non- 
statutory subject matter. Applicants respectfully amend claim 15 in attempt to further 
prosecution. This rejection is respectfully traversed with respect to claim 9. 

According to MPEP §2106, to properly determine whether a claimed invention 
complies with the statutory invention requirements of 35 U.S.C. §101, it must first be 
determined whether the claim falls within at least one of the four enumerated categories 
of patentable subject matter recited in section 101 (i.e., process, machine, manufacture, 
or composition of matter). 

After determining whether a claim falls within one of the four enumerated 
categories of patentable subject matter recited in 35 U.S.C. §101 (i.e., process, 
machine, manufacture, or composition of matter), it then becomes necessary to 
determine if the claim is directed to nothing more than an abstract idea, natural 
phenomena, or law of nature, which are not eligible for patent protection. A claim that 
falls within one of the four enumerated categories and does not cover a 35 USC §101 
judicial exception (i.e., an abstract idea, natural phenomenon, or law of nature) is clearly 
directed to statutory subject matter. However, a claim that does include a judicial 
exception may still be eligible for patent protection if it either: (A) transforms an article or 
physical object, or (B) produces a useful, concrete, and tangible result. For example, 
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the "application of a law of nature or mathematical formula to a known structure or 
process may well be deserving of patent protection." Diamond v. Diehr, 450 U.S. 175, 
187, 209 USPQ 1, 8 (1981). Also, subject matter within these exceptions that have a 
practical use will be patentable. 

Claims 9-14 

The present invention is directed to a method and system of authentication. 
More specifically, independent claim 9 recites, in pertinent part: 

receiving a UserlD and a credential string at an authentication 
proxy server, the credential string is derived from a session ID; 

sending a confirmation request from the authentication proxy to a 
portal, the confirmation request includes the credential string; 

receiving a response at the authentication proxy for the 
confirmation request; and 

validating the UserlD using a light weight directory access protocol 
(LDAP) lookup request and the response. 

Applicants respectfully submit that the invention recited in claim 9 is directed to a 
process, and, therefore, falls within one of the four enumerated categories of patentable 
subject matter recited in section 101. Applicants further submit that the claimed 
invention comprises a process that produces a useful, concrete, and tangible result, 
and, therefore, is directed to statutory subject matter. Additionally, Applicants submit 
that the claimed invention also has a practical use. 

In the Office Action, the Examiner asserts that the claimed invention fails to recite 
statutory subject matter because it is not tangibly embodied on an appropriate 
computer-readable storage medium. Applicants submit that embodying a method on a 
computer readable storage medium is not a requirement of patentability. Applicants 
submit that the claimed invention, regardless of whether on a computer readable 
medium, produces a useful, concrete, and tangible result for the reasons described 
herein. As the Examiner appears to reject claim 9 because it does not produce a 



{P27371 00270921.DOC} 



Serial No.: 10/791,322 



..9.. 



END920030143US1 



"tangible result," the following rebuttal is limited to this rejection. MPEP §2106 provides 

the following guidance for the "tangible result" prong of the §101 analysis: 

The tangible requirement does not necessarily mean that a claim must 
either be tied to a particular machine or apparatus or must operate to 
change articles or materials to a different state or thing. However, the 
tangible requirement does require that the claim must recite more than a 
35 U.S.C. 101 judicial exception, in that the process claim must set forth a 
practical application of that judicial exception to produce a real-world 
result. Benson, 409 U.S. at 71-72, 175 USPQ at 676-77 (invention 
ineligible because had "no substantial practical application."). "[A]n 
application of a law of nature or mathematical formula to a ... process may 
well be deserving of patent protection." Diehr, 450 U.S. at 187, 209 USPQ 
at 8 (emphasis added); see also Corning, 56 U.S. (15 How.) at 268, 14 
L.Ed. 683 ("It is for the discovery or invention of some practical method or 
means of producing a beneficial result or effect, that a patent is granted . . 
."). In other words, the opposite meaning of "tangible" is "abstract." 

Claim 9 recites a method for authenticating a user request for a software 
application. The method includes a number of steps that practically apply the 
information obtained in the present invention. For example, claim 9 recites "receiving a 
UserlD and a credential string at an authentication proxy server..." This feature takes a 
UserlD and credential string, and uses these features by "receiving" them at an 
authentication proxy server. Applicants submit this "receipt" is a practical application of 
the information, and more than mere abstraction. 

Applicants further submit that claim 9 produces additional practical applications 
of the information used in the present invention. For example, claim 9 recites "sending 
a confirmation request from the authentication proxy to a portal, the confirmation 
request includes the credential string." This feature practically applies the credential 
string by including it in the confirmation request and "sending" it to a portal. After the 
confirmation is sent, a response is "received" as further recited in claim 9. Applicants 
submit that the steps of "sending" and "receiving" employ practical applications of 
information used in the present invention, and are more than mere abstractions. 
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Hence, the steps set forth in claim 9 produce real-world results, whereby a user 
is authenticated without having his confidential credentials sent to target applications 
where the credentials are subject to security breaches. Therefore, Applicants submit 
that the steps of "receiving" and "sending" responses are more than mere abstract 
ideas, and the steps produce useful, concrete, and tangible results. As such, the claims 
are directed to statutory subject matter, and the instant rejection under 35 U.S.C. §101 
is improper. 

Accordingly, Applicants respectfully request that the rejection over independent 
claim 9 be withdrawn. Applicants further request that the rejection over claims 10-14 be 
withdrawn because they depend from claim 9 and include the features of the base claim 
9. 

Claims 15-21 

Claim 15 was rejected under 35 U.S.C. §101. In an attempt to satisfy the 

Examiner, claim 15 is amended as follows: 

A system for authenticating a session stored on a computer 
readable storage medium, comprising computer readable program code , 
comprising: 

Applicants submit that this language is sufficient to have the system for 
authenticating a session be tangibly embodied on an appropriate computer-readable 
storage medium. As such, Applicants respectfully request that the rejection over claim 
15 be withdrawn. 

Applicants further submit that claims 16-21 depend from claim 15 and include the 
features of the base claim 15. Accordingly, Applicants respectfully submit that the 
rejection over claims 16-21 be withdrawn. 
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35 U.S.C. §102 Rejection 

Claims 1-3, 5-6, 8, 15, 19-20, and 22 were rejected under 35 U.S.C. §1 02(b) for 
being anticipated by U. S. Patent No. 7,100,054 B2 issued to Wenisch, era/. 
("WENISCH"). This rejection is respectfully traversed. 

According to MPEP §2131, 

"A claim is anticipated only if each and every element as set forth in the 
claim is found, either expressly or inherently described, in a single prior art 
reference." Verdegaal Bros. v. Union Oil Co. of California, 814 F.2d 628, 
631, 2 USPQ2d 1051, 1053 (Fed. Cir. 1987). 

However, Applicants submit that WENISCH does not teach every feature of the rejected 
claims. For example, Applicants submit that WENISCH does not show the combination 
of the following features of respective claims 1,15, and 22. 

Claims 1 and 22 

Claim 1 recites, in pertinent part: 

... creating a credential string which is derived from a session ID... 

Claim 22 recites, in pertinent part: 

... create a credential string which is derived from a session ID... 

The Examiner is of the opinion that WENISCH shows all of the features of 
independent claims 1 and 22. More specifically, the Examiner is of the opinion that 
WENISCH shows creating a credential string derived from a session ID. The Examiner 
supports this argument by equating the claimed "credential string" to the "challenge 
string" found in WENISCH. Applicants respectfully disagree with the Examiner's 
analysis and submit that WENISCH does not derive a credential string from a session 
ID, for example. 

WENISCH teaches that the "challenge string" can be either a sequence number 
or a session identifier or another numerical alphanumerical identifier. (Col. 1, lines 53- 
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55.) After the challenge string is chosen, a login packet is created. The login packet 
can contain the challenge string, the username, and the password or other credentials 
in encrypted form. (Col. 3, lines 42-45.) The login packet can be represented by a hash 
of the data in these fields, which is then sent to the web server. 

WENISCH does not show the step of deriving a credential string from a session 
ID. For example, in WENISCH, if a session ID is chosen to be the challenge string, and 
the session ID is "1234" then the challenge string would be "1234." In other words, the 
challenge string and the session ID become equivalents. The challenge string is not 
derived from a session ID. 

As a further explanation, in one embodiment of the present invention, a 
credential string may be derived from a session ID by hashing the session ID. 
Therefore, in the present invention, a session ID of "1234" may be derived to form a 
credential string of "8362" or "9422a1." Hence, the credential string is derived from the 
session ID and is not the equivalent of the session ID - 
Dependent Claims 

Claims 2, 3, 5, 6, and 8 are dependent claims, depending on distinguishable 
independent claims. For these reasons, Applicants submit that these claims are thus 
allowable for the reasons of their dependencies on the distinguishable independent 
claims. Applicants submit that these claims also include subject matter which is 
distinguishable over WENISCH. 

Claims 2 and 5 

Claim 2 recites, in pertinent part: 

... maintaining a password at a portal and not sending the password to 
authenticate the UserlD. 

Claim 5 recites, in pertinent part: 
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... the sending of a UserlD and the credential string avoids at least one of 
sending a user's password outside of a portal server... 

As to claims 2 and 5, the Examiner asserts WENISCH does not send the 
password outside of the portal server. Applicants respectfully disagree with the 
Examiner. WENISCH sends a login packet, which includes the password, to the web 
server which verifies the hash and decrypts the password. (Col. 3, lines 58.) The web 
server then requests an encryption key from the authentication provider and encrypts 
the user's password and/or credentials using the encryption key. Next, the web server 
transmits the encrypted data to the authentication provider. (Col. 4, lines 4-11.) This 
process is illustrated in Fig. 2, which shows the encrypted password and username 24 
being sent from the web server to the authentication provider. Therefore, WENISCH 
teaches sending the password outside of the web server for authentication. This is 
contrary to the present invention. Thus WENISCH teaches away from the claimed 
invention. Therefore, Applicants respectfully submit claims 2 and 5 are not anticipated 
by WENISCH. 

Claim 3 

Claim 3 recites, in pertinent part: 

... wherein the credential string is an encrypted hash of the session ID. 

In rejecting claim 3, the Examiner attempts to equate the credential string in the 
present invention to the "login packet" in WENISCH. First, this is contrary to the 
Examiner's prior assertion in independent claim 1 that the credential string is the same 
as the "challenge string" in WENISCH. Second, the login packet in WENISCH is not an 
encrypted hash of the session ID. Instead, the login packet contains the challenge 
string, such as the session ID provided by the server, the username, and the password 
or other credentials in encrypted form and a hash of the data in these three fields. (Col. 
3, lines 42-45.) Therefore, the login packet is an hash of data in all three fields instead 
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of an encrypted hash of the session ID. Therefore, claim 3 is not anticipated by 
WENISCH. 

Claim 6 

Claim 6 recites, in pertinent part: 

... checking whether the session ID and the credential string have been 
previously received within a predetermined time period... 

The Examiner asserts that WENISCH checks to see whether the session ID and 
the credential string have been previously received within a predetermined time period. 
The Examiner bases this assertion on a security feature in WENISCH wherein a 
session ID preferably "expires" if the user doesn't make a page request after a 
predetermined time interval. (Col. 4, lines 33-35.) For example, in WENISCH, if a user 
is idle for five minutes, and the predetermined time interval is two minutes, then the 
users session ID will "expire" or similarly "time out" after the two minutes is over due to 
lack of use. Contrarily, the predetermined time period in the presently claimed 
invention does not "time out" or "expire" as described in WENISCH. Instead, the 
predetermined time period in the presently claimed invention is used to determine if a 
second request having the same UserlD and credential string has been recently 
received. If a second request is received then procedures associated with a network 
security breach may be initiated. Therefore, Applicants respectfully submit claim 6 is 
not anticipated by WENISCH. 

Claim 8 

Claim 8 depends on distinguishable independent claim 1. Therefore, Applicants 
submit that claim 8 is allowable for the reasons set forth in distinguishable independent 
claim 1. 
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Claim 15 

Claim 15 recites, in pertinent part: 

... wherein the credential string validation component checks whether the 
credential string has been previously received for validation within a 
predetermined time period. 

The Examiner asserts that the elements of claim 15 listed above is rejected for 
similar reasons as claim 6. However, Applicants note that claim 15 is not the same as 
claim 6. Therefore, Applicants respectfully submit that this rejection is improper form. 

Using the passage relied upon by the Examiner in claim 6, Applicants 
respectfully submit that WENISCH does not check whether the credential string has 
been previously received for validation within a predetermined time period. As 
described above, the predetermined time period in WENISCH is a security feature 
wherein a session ID preferably "expires" if the user does not make a page request after 
a predetermined time interval. (Col. 4, lines 33-35.) This expiration is similar to a time 
out feature. Contrarily, the predetermined time period in the present invention does not 
"time out" or "expire" as described in WENISCH. Therefore, claim 6 is not anticipated 
by WENISCH. 

Dependent Claims 

Claims 19 and 20 are dependent claims, depending on distinguishable 
independent claim 15. For these reasons, Applicants submit that these claims are thus 
allowable for the reasons of their dependencies on distinguishable independent claim 
15. Applicants submit that these claims also include subject matter which is 
distinguishable over WENISCH. 

For example, claim 19 includes distinguishable subject matter for reasons similar 
to dependent claim 6. Additionally, claim 20 includes distinguishable subject matter for 
reasons similar to dependent claims 2 and 5. 
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Accordingly, Applicants respectfully request that the rejection over claims 1-3, 5, 
6, 8, 15, 19, 20, and 22 be withdrawn. 

35 U.S.C. §103 Rejection 

Claims 4, 7, 9-14, 16-18, and 21 were rejected under 35 U.S.C. §103(a) for being 
unpatentable over U. S. Patent No. 7,100,054 issued to WENISCH in view of U. S. 
Patent No. 6,374,359 B1 issued to Shrader, etal. ("SHRADER"). This rejection is 
respectfully traversed. 

In order to reject a claim under 35 U.S.C. §1 03(a), the examiner bears the initial 
burden of factually supporting any prima facie conclusion of obviousness. If the 
examiner does not produce a prima facie case, the applicant is under no obligation to 
submit evidence of nonobviousness. To establish a prima facie case of obviousness, 
three basic criteria must be met. First, there must be some suggestion or motivation, 
either in the references themselves or in the knowledge generally available to one of 
ordinary skill in the art, to modify the reference or to combine reference teachings. 
Second, there must be a reasonable expectation of success. Finally, the prior art 
reference (or references when combined) must teach or suggest all the claim 
limitations. The teaching or suggestion to make the claimed combination and the 
reasonable expectation of success must both be found in the prior art, and not based on 
applicant's disclosure. In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed. Cir. 1991). 
See MPEP §2142. 

When rejecting a claim under 35 U.S.C. §103, the Examiner should set forth in 
the office action: 

(A) the relevant teachings of the prior art relied upon, preferably with 
reference to the relevant column or page number(s) and the line 
number(s) where appropriate, 

(B) the difference or differences in the claim over the applied reference(s), 
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(C) the proposed modification of the applied reference(s) necessary to arrive 
at the claimed subject matter, and 

(D) an explanation why one of ordinary skill in the art at the time the invention 
was made would have been motivated to make the proposed modification. 

Applicants submit that no proper combination of the applied art teaches or 
suggests each and every feature of the claimed invention. 

Claims 9 and 10 

Applicants note that the Examiner did not address all of the features of claim 9, 

hence, the Examiner did not properly reject claim 9 as being obvious in view of 

WENISCH and SHRADER under 35 U.S.C. § 103(a). Specifically, the Examiner has 

grouped together independent claim 9 and dependent claim 10 to make a single 

rejection under 35 U.S.C. §1 03(a). In this rejection, the Examiner makes reference to 

the features of claim 9 only, without reference to any of the features of claim 1 0. Also, 

to support this rejection, the Examiner has referenced the 35 U.S.C. §1 02(b) rejection of 

claim 1 . However, the Examiner does not appear to consider the specific features of 

claim 9 or claim 10, which some of these features are clearly different than that of claim 

1 . As such, the Examiner has not covered all of the features of claims 9 and 10. This 

being the case, Applicants submit that a clear issue was not developed between the 

Examiner and Applicants. Thus, the next Office Action, which should clarify this issue, 

cannot be made final. 

According to MPEP 706, 

Before final rejection is in order a clear issue should be developed 
between the examiner and applicant. To bring the prosecution to as 
speedy conclusion as possible and at the same time to deal justly by both 
the applicant and the public, the invention as disclosed and claimed 
should be thoroughly searched in the first action and the references fully 
applied; and in reply to this action the applicant should amend with a view 
to avoiding all the grounds of rejection and objection. 

Additionally, MPEP 706.07(a) notes: 
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Under present practice, second or any subsequent actions on the 
merits shall be final, except where the examiner introduces a new ground 
of rejection that is neither necessitated by applicant's amendment of the 
claims nor based on information submitted in an information disclosure 
statement filed during the period set forth in 37 CFR 1 .97(c) with the fee 
set forth in 37 CFR1.17(p). ... 

Furthermore, a second or any subsequent action on the merits in 
any application ... will not be made final if it includes a rejection, on newly 
cited art, other than information submitted in an information disclosure 
statement filed under 37 CFR 1 .97(c) with the fee set forth in 37 CFR 1.17 
(p), of any claim not amended by applicant or patent owner in spite of the 
fact that other claims may have been amended to require newly cited art. 

Accordingly, Applicants respectfully submits that the Examiner may not make the 
next action final, as in the previous Office Action a "clear issue [was not] developed 
between the examiner and applicant". 

Furthermore, as best can be understood from the Examiner's arguments, 
WENISCH does not disclose the features in claim 9. 

Independent claim 9 recites, in pertinent part: 

...receiving a UserlD and a credential string at an authentication 
proxy server, the credential string is derived from a session ID; 

sending a confirmation request from the authentication proxy to a 
portal, the confirmation request includes the credential string; 

receiving a response at the authentication proxy for the 
confirmation request; and 

validating the UserlD using a light weight directory access protocol 
(LDAP) lookup request and the response. 

More specifically, neither WENISCH nor SHRADER disclose a credential string 
derived from a session ID. As described above, WENISCH does not derive a 
"challenge string." (See col. 1, lines 53-55.) Instead, WENISCH equates a "challenge 
string" to a session ID such that the two become the same. For example, if the session 
ID is "1234" then the challenge string would be "1234." This is contrary to the present 
invention which includes a credential string that is derived from the session ID and is not 
the equivalent of the session ID. 
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While Applicants assert neither WENISCH nor SHRADER disclose a credential 
string, Applicants do submit, in an attempt to advance prosecution, that SHRADER 
does disclose a light weight directory access protocol (LDAP) lookup request and the 
response. 

Dependent Claims 

Applicants submit that claims 4, 7, 10-14, 16-18, and 21 depend from an 
allowable base claims. As such, claims 4, 7, 10-14, 16-18, and 21 include the features 
of the base claims. Accordingly, Applicants respectfully submit that claims 4, 7, 10-14, 
16-18, and 21 include allowable subject matter. 

Accordingly, Applicants respectfully request that the rejection over claims 4, 7, 
10-14, 16-18, and 21 be withdrawn. 

Other Matters 

Applicants submit that the Examiner did not properly reject claims as noted 
above. While stating that these claims were rejected, the Examiner never addressed 
the features of these claims as rejected by the combination of references as applied by 
the Examiner. For these reasons, Applicants submit that a clear issue was not 
developed between the Examiner and Applicants. As such, the next Office Action, 
which should clarify this issue, cannot be made final. (See MPEP 706 and 706.07(a), 
which are referenced above.) 

Accordingly, Applicants respectfully submit that the Examiner may not make the 
next action final, as in the previous Office Action a "clear issue [was not] developed 
between the examiner and applicant". 
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CONCLUSION 



In view of the foregoing amendments and remarks, Applicants submit that all of 
the claims are patentably distinct from the prior art of record and are in condition for 
allowance. The Examiner is respectfully requested to pass the above application to 
issue. The Examiner is invited to contact the undersigned at the telephone number 
listed below, if needed. Applicants hereby makes a written conditional petition for 
extension of time, if required. Please charge any deficiencies in fees and credit any 
overpayment of fees to Attorney's Deposit Account No. 19-0089. 



Greenblum & Bernstein, P.L.C. 
1950 Roland Clarke Place 
Reston, Virginia 20191 
Telephone: 703-716-1191 
Facsimile: 703-716-1180 



Respectfully submitted, 




Andrew M. Calderon 
Registration No. 38,093 
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